reference grant

Author: aojea

.github/workflows/gateway.yml

@@ -116,10 +116,11 @@ jobs:
             --organization=sigs.k8s.io \
             --project=cloud-provider-kind \
             --url=https://github.com/kubernetes-sigs/cloud-provider-kind \
-            --version=test \
-            --contact=antonio.ojea.garcia@gmail.com \
+            --version=${{ github.sha }} \
+            --contact=https://github.com/kubernetes-sigs/cloud-provider-kind/issues/new \
             --gateway-class=cloud-provider-kind \
-            --supported-features=Gateway,HTTPRoute \
+            --conformance-profiles=GATEWAY-HTTP \
+            --supported-features=Gateway,HTTPRoute,ReferenceGrant \
             --report-output=./_artifacts/conformance.yaml
 
     - name: Export logs

pkg/controller/controller.go

@@ -304,6 +304,7 @@ func startCloudControllerManager(ctx context.Context, clusterName string, config
 			sharedGwInformers.Gateway().V1().Gateways(),
 			sharedGwInformers.Gateway().V1().HTTPRoutes(),
 			sharedGwInformers.Gateway().V1().GRPCRoutes(),
+			sharedGwInformers.Gateway().V1beta1().ReferenceGrants(),
 		)
 		if err != nil {
 			klog.Errorf("Failed to start gateway controller: %v", err)

pkg/gateway/controller.go

@@ -42,6 +42,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	corev1informers "k8s.io/client-go/informers/core/v1"
@@ -55,9 +56,12 @@ import (
 	"sigs.k8s.io/cloud-provider-kind/pkg/config"
 	"sigs.k8s.io/cloud-provider-kind/pkg/tunnels"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
 	gatewayclient "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned"
 	gatewayinformers "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions/apis/v1"
+	gatewayinformersv1beta1 "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions/apis/v1beta1"
 	gatewaylisters "sigs.k8s.io/gateway-api/pkg/client/listers/apis/v1"
+	gatewaylistersv1beta1 "sigs.k8s.io/gateway-api/pkg/client/listers/apis/v1beta1"
 )
 
 const (
@@ -113,6 +117,9 @@ type Controller struct {
 	grpcrouteLister       gatewaylisters.GRPCRouteLister
 	grpcrouteListerSynced cache.InformerSynced
 
+	referenceGrantLister       gatewaylistersv1beta1.ReferenceGrantLister
+	referenceGrantListerSynced cache.InformerSynced
+
 	xdscache        cachev3.SnapshotCache
 	xdsserver       serverv3.Server
 	xdsLocalAddress string
@@ -133,6 +140,7 @@ func New(
 	gatewayInformer gatewayinformers.GatewayInformer,
 	httprouteInformer gatewayinformers.HTTPRouteInformer,
 	grpcrouteInformer gatewayinformers.GRPCRouteInformer,
+	referenceGrantInformer gatewayinformersv1beta1.ReferenceGrantInformer,
 ) (*Controller, error) {
 	c := &Controller{
 		clusterName:              clusterName,
@@ -152,10 +160,12 @@ func New(
 			workqueue.DefaultTypedControllerRateLimiter[string](),
 			workqueue.TypedRateLimitingQueueConfig[string]{Name: "gateway"},
 		),
-		httprouteLister:       httprouteInformer.Lister(),
-		httprouteListerSynced: httprouteInformer.Informer().HasSynced,
-		grpcrouteLister:       grpcrouteInformer.Lister(),
-		grpcrouteListerSynced: grpcrouteInformer.Informer().HasSynced,
+		httprouteLister:            httprouteInformer.Lister(),
+		httprouteListerSynced:      httprouteInformer.Informer().HasSynced,
+		grpcrouteLister:            grpcrouteInformer.Lister(),
+		grpcrouteListerSynced:      grpcrouteInformer.Informer().HasSynced,
+		referenceGrantLister:       referenceGrantInformer.Lister(),
+		referenceGrantListerSynced: referenceGrantInformer.Informer().HasSynced,
 	}
 	_, err := gatewayClassInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc: func(obj interface{}) {
@@ -279,6 +289,15 @@ func New(
 		return nil, err
 	}
 
+	_, err = referenceGrantInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc:    c.processReferenceGrant,
+		UpdateFunc: func(old, new interface{}) { c.processReferenceGrant(new) },
+		DeleteFunc: c.processReferenceGrant,
+	})
+	if err != nil {
+		return nil, err
+	}
+
 	if config.DefaultConfig.LoadBalancerConnectivity == config.Tunnel {
 		c.tunnelManager = tunnels.NewTunnelManager()
 	}
@@ -430,6 +449,7 @@ func (c *Controller) Run(ctx context.Context) error {
 		c.namespaceListerSynced,
 		c.serviceListerSynced,
 		c.secretListerSynced,
+		c.referenceGrantListerSynced,
 	) {
 		return fmt.Errorf("timed out waiting for caches to sync")
 	}
@@ -463,6 +483,156 @@ func (c *Controller) processGateways(references []gatewayv1.ParentReference, loc
 	}
 }
 
+// processReferenceGrant finds all Gateways that may be affected by a change to a
+// ReferenceGrant and enqueues them for reconciliation. This function handles grants
+// for both cross-namespace BackendRefs (from Routes) and cross-namespace
+// SecretRefs (from Gateways).
+func (c *Controller) processReferenceGrant(obj interface{}) {
+	grant, ok := obj.(*gatewayv1beta1.ReferenceGrant)
+	if !ok {
+		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
+		if !ok {
+			klog.Errorf("error decoding object, invalid type")
+			return
+		}
+		grant, ok = tombstone.Obj.(*gatewayv1beta1.ReferenceGrant)
+		if !ok {
+			klog.Errorf("error decoding object tombstone, invalid type")
+			return
+		}
+	}
+
+	gatewaysToEnqueue := make(map[string]struct{})
+	// The ReferenceGrant lives in the namespace of the resource being referenced (the "To" side).
+	targetNamespace := grant.Namespace
+
+	// Check for Grants allowing Routes to reference Services
+	for _, from := range grant.Spec.From {
+		// As the controller supports more route types, they should be added here.
+		if !CloudProviderSupportedKinds.Has(from.Kind) {
+			continue
+		}
+
+		// Check if the grant allows references TO a Service.
+		isServiceGrant := false
+		for _, to := range grant.Spec.To {
+			if to.Kind == "Service" {
+				isServiceGrant = true
+				break
+			}
+		}
+		if !isServiceGrant {
+			continue
+		}
+
+		// Find all routes in the "From" namespace that could be affected.
+		httpRoutes, err := c.httprouteLister.HTTPRoutes(string(from.Namespace)).List(labels.Everything())
+		if err != nil {
+			klog.Errorf("Failed to list HTTPRoutes in namespace %s: %v", from.Namespace, err)
+			continue
+		}
+
+		for _, route := range httpRoutes {
+			if routeReferencesBackendInNamespace(route, targetNamespace) {
+				// This route is affected. Find its parent Gateways and add them to the queue.
+				for _, parentRef := range route.Spec.ParentRefs {
+					if (parentRef.Group != nil && string(*parentRef.Group) != gatewayv1.GroupName) ||
+						(parentRef.Kind != nil && string(*parentRef.Kind) != "Gateway") {
+						continue
+					}
+					gwNamespace := route.Namespace
+					if parentRef.Namespace != nil {
+						gwNamespace = string(*parentRef.Namespace)
+					}
+					key := gwNamespace + "/" + string(parentRef.Name)
+					gatewaysToEnqueue[key] = struct{}{}
+				}
+			}
+		}
+	}
+
+	// Check for Grants allowing Gateways to reference Secrets
+	for _, from := range grant.Spec.From {
+		// We are looking for grants FROM Gateways.
+		if from.Group != gatewayv1.GroupName || from.Kind != "Gateway" {
+			continue
+		}
+
+		// Check if the grant allows references TO a Secret.
+		isSecretGrant := false
+		for _, to := range grant.Spec.To {
+			if to.Kind == "Secret" {
+				isSecretGrant = true
+				break
+			}
+		}
+		if !isSecretGrant {
+			continue
+		}
+
+		// Find all Gateways in the "From" namespace that could be affected.
+		gateways, err := c.gatewayLister.Gateways(string(from.Namespace)).List(labels.Everything())
+		if err != nil {
+			klog.Errorf("Failed to list Gateways in namespace %s: %v", from.Namespace, err)
+			continue
+		}
+
+		for _, gw := range gateways {
+			if gatewayReferencesSecretInNamespace(gw, targetNamespace) {
+				// This Gateway is affected. Add it to the queue.
+				key := gw.Namespace + "/" + gw.Name
+				gatewaysToEnqueue[key] = struct{}{}
+			}
+		}
+	}
+
+	// Enqueue all unique Gateways that were found to be affected.
+	for key := range gatewaysToEnqueue {
+		c.gatewayqueue.Add(key)
+	}
+}
+
+// routeReferencesBackendInNamespace is a helper to check if an HTTPRoute has a backendRef
+// pointing to the specified namespace.
+func routeReferencesBackendInNamespace(route *gatewayv1.HTTPRoute, namespace string) bool {
+	for _, rule := range route.Spec.Rules {
+		for _, backendRef := range rule.BackendRefs {
+			backendNamespace := route.Namespace
+			if backendRef.Namespace != nil {
+				backendNamespace = string(*backendRef.Namespace)
+			}
+			if backendNamespace == namespace {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// gatewayReferencesSecretInNamespace is a helper to check if a Gateway has a certificateRef
+// pointing to a Secret in the specified namespace.
+func gatewayReferencesSecretInNamespace(gateway *gatewayv1.Gateway, namespace string) bool {
+	for _, listener := range gateway.Spec.Listeners {
+		if listener.TLS == nil {
+			continue
+		}
+		for _, certRef := range listener.TLS.CertificateRefs {
+			// We only care about references to Secrets.
+			if (certRef.Group != nil && *certRef.Group != "") || (certRef.Kind != nil && *certRef.Kind != "Secret") {
+				continue
+			}
+			secretNamespace := gateway.Namespace
+			if certRef.Namespace != nil {
+				secretNamespace = string(*certRef.Namespace)
+			}
+			if secretNamespace == namespace {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 func (c *Controller) runGatewayWorker(ctx context.Context) {
 	for c.processNextGatewayItem(ctx) {
 	}

pkg/gateway/gateway.go

@@ -168,7 +168,7 @@ func (c *Controller) buildEnvoyResourcesForGateway(gateway *gatewayv1.Gateway) (
 	}
 
 	// validate listeners that may reuse the same port
-	conflictedListenerConditions := c.validateListeners(gateway)
+	listenerValidationConditions := c.validateListeners(gateway)
 
 	finalEnvoyListeners := []envoyproxytypes.Resource{}
 	// Process Listeners by Port
@@ -185,7 +185,7 @@ func (c *Controller) buildEnvoyResourcesForGateway(gateway *gatewayv1.Gateway) (
 			listenerStatus := gatewayv1.ListenerStatus{
 				Name:           gatewayv1.SectionName(listener.Name),
 				SupportedKinds: []gatewayv1.RouteGroupKind{},
-				Conditions:     []metav1.Condition{},
+				Conditions:     listenerValidationConditions[listener.Name],
 				AttachedRoutes: 0,
 			}
 			supportedKinds, allKindsValid := getSupportedKinds(listener)
@@ -203,19 +203,30 @@ func (c *Controller) buildEnvoyResourcesForGateway(gateway *gatewayv1.Gateway) (
 				continue // Stop processing this invalid listener
 			}
 
-			if conflictCondition, isConflicted := conflictedListenerConditions[listener.Name]; isConflicted {
-				// This listener is conflicted. Set its status and skip it.
-				meta.SetStatusCondition(&listenerStatus.Conditions, conflictCondition)
+			isConflicted := meta.IsStatusConditionTrue(listenerStatus.Conditions, string(gatewayv1.ListenerConditionConflicted))
+			// If the listener is conflicted set its status and skip Envoy config generation.
+			if isConflicted {
 				allListenerStatuses[listener.Name] = listenerStatus
-				continue // DO NOT generate Envoy config for this listener
+				continue
+			}
+
+			// If there are not references issues then set it to tru
+			if !meta.IsStatusConditionFalse(listenerStatus.Conditions, string(gatewayv1.ListenerConditionResolvedRefs)) {
+				meta.SetStatusCondition(&listenerStatus.Conditions, metav1.Condition{
+					Type:               string(gatewayv1.ListenerConditionResolvedRefs),
+					Status:             metav1.ConditionTrue,
+					Reason:             string(gatewayv1.ListenerReasonResolvedRefs),
+					Message:            "All references resolved",
+					ObservedGeneration: gateway.Generation,
+				})
 			}
 
 			switch listener.Protocol {
 			case gatewayv1.HTTPProtocolType, gatewayv1.HTTPSProtocolType:
 				// Process HTTPRoutes
 				// Get the routes that were pre-validated for this specific listener.
 				for _, httpRoute := range routesByListener[listener.Name] {
-					routes, validBackendRefs, resolvedRefsCondition := translateHTTPRouteToEnvoyRoutes(httpRoute, c.serviceLister)
+					routes, validBackendRefs, resolvedRefsCondition := translateHTTPRouteToEnvoyRoutes(httpRoute, c.serviceLister, c.referenceGrantLister)
 
 					key := types.NamespacedName{Name: httpRoute.Name, Namespace: httpRoute.Namespace}
 					currentParentStatuses := httpRouteStatuses[key]
@@ -276,15 +287,6 @@ func (c *Controller) buildEnvoyResourcesForGateway(gateway *gatewayv1.Gateway) (
 
 			filterChain, err := c.translateListenerToFilterChain(gateway, listener, vhSlice, routeName)
 			if err != nil {
-				// If translation fails, a reference is unresolved. Set both conditions to False.
-				klog.Errorf("Error translating listener %s to filter chain: %v", listener.Name, err)
-				meta.SetStatusCondition(&listenerStatus.Conditions, metav1.Condition{
-					Type:               string(gatewayv1.ListenerConditionResolvedRefs),
-					Status:             metav1.ConditionFalse,
-					Reason:             string(gatewayv1.ListenerReasonInvalidCertificateRef),
-					Message:            fmt.Sprintf("Failed to resolve references: %v", err),
-					ObservedGeneration: gateway.Generation,
-				})
 				meta.SetStatusCondition(&listenerStatus.Conditions, metav1.Condition{
 					Type:               string(gatewayv1.ListenerConditionProgrammed),
 					Status:             metav1.ConditionFalse,
@@ -293,14 +295,6 @@ func (c *Controller) buildEnvoyResourcesForGateway(gateway *gatewayv1.Gateway) (
 					ObservedGeneration: gateway.Generation,
 				})
 			} else {
-				// Only if ALL checks pass, set the conditions to True.
-				meta.SetStatusCondition(&listenerStatus.Conditions, metav1.Condition{
-					Type:               string(gatewayv1.ListenerConditionResolvedRefs),
-					Status:             metav1.ConditionTrue,
-					Reason:             string(gatewayv1.ListenerReasonResolvedRefs),
-					Message:            "All references resolved",
-					ObservedGeneration: gateway.Generation,
-				})
 				meta.SetStatusCondition(&listenerStatus.Conditions, metav1.Condition{
 					Type:               string(gatewayv1.ListenerConditionProgrammed),
 					Status:             metav1.ConditionTrue,